diff --git a/pkg/config/rpc_config.go b/pkg/config/rpc_config.go
index c9b0a1630..66ab8c4c1 100644
--- a/pkg/config/rpc_config.go
+++ b/pkg/config/rpc_config.go
@@ -29,8 +29,10 @@ type (
 // TLS describes SSL/TLS configuration.
 TLS struct {
- BasicService `yaml:",inline"`
- CertFile string `yaml:"CertFile"`
- KeyFile string `yaml:"KeyFile"`
+ BasicService `yaml:",inline"`
+ RootCA []string `yaml:"RootCAs"`
+ InsecureSkipVerify bool `yaml:"InsecureSkipVerify"`
+ CertFile string `yaml:"CertFile"`
+ KeyFile string `yaml:"KeyFile"`
 }
 )
diff --git a/pkg/services/rpcsrv/server.go b/pkg/services/rpcsrv/server.go
index d58d68f2e..494288149 100644
--- a/pkg/services/rpcsrv/server.go
+++ b/pkg/services/rpcsrv/server.go
@@ -4,6 +4,8 @@ import (
 "bytes"
 "context"
 "crypto/elliptic"
+ "crypto/tls"
+ "crypto/x509"
 "encoding/binary"
 "encoding/hex"
 "encoding/json"
@@ -13,6 +15,7 @@ import (
 "math/big"
 "net"
 "net/http"
+ "os"
 "strconv"
 "strings"
 "sync"
@@ -409,7 +412,27 @@ func (s *Server) Start() {
 }
 if cfg := s.config.TLSConfig; cfg.Enabled {
+ caCertPool := x509.NewCertPool()
+ for _, f := range cfg.RootCA {
+ data, err := os.ReadFile(f)
+ if err != nil {
+ s.errChan <- err
+ return
+ }
+
+ caCertPool.AppendCertsFromPEM(data)
+ }
 for _, srv := range s.https {
+ if len(cfg.RootCA) == 0 {
+ s.log.Warn("client CAs are not provided, mTLS is disabled")
+ cfg.InsecureSkipVerify = true
+ }
+ srv.TLSConfig = &tls.Config{
+ ClientCAs: caCertPool,
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ InsecureSkipVerify: cfg.InsecureSkipVerify,
+ }
 srv.Handler = http.HandlerFunc(s.handleHTTPRequest)
 s.log.Info("starting rpc-server (https)", zap.String("endpoint", srv.Addr))
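Review bot: The new `InsecureSkipVerify` field is a server-side TLS option, but `tls.Config.InsecureSkipVerify` only controls whether a *client* verifies the server's certificate chain and host name; on a server it does not relax client-certificate checks, which are governed by `ClientAuth`, so the option cannot do what its use in server.go implies (that hunk, cut off at the end of this diff, sets it into the server's `tls.Config` next to `ClientAuth: tls.RequireAndVerifyClientCert` and flips it to true when no CAs are configured, which would presumably leave every client rejected against an empty pool rather than "disable mTLS"). Both new fields also lack doc comments, and `RootCA` does not match its tag `RootCAs` nor its visible role as the `ClientCAs` pool. I would document them as `// RootCA lists PEM files of CA certificates used to verify client certificates (mTLS).` and `// InsecureSkipVerify is copied into the server tls.Config; it has no effect on client-certificate verification and must not be relied on to disable mTLS.`, and reconsider whether the second field belongs in a server configuration at all.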